Make sure you are able to repro it on the latest version
Search the existing issues.
Steps to reproduce
After KB5044281 update, we cannot see username in eventlog for SFTP uploads or any other commands. Before update, real username was listed in USER field. Now there is only SYSTEM as a user for all operations. SFTP Server is configured as chrooted (users cannot move away from their home directories).
The big question is, is this a new feature, or will it be fixed? Solving integration (sftp) related problems is almost impossible without knowing which user is doing what.
Expected behavior
Logging (to eventlog, which is the recommended way) should include the username of whoever did the operation (upload, download, rename, etc.).
Actual behavior
In eventlog entries all operations are made by User: SYSTEM
Thanks for opening an issue - this looks to be a result of forwarding messages back to the parent SSHD process (running as SYSTEM) to permit logs from both admin and non-admin users. I think I can add the username to the log message so the information is still captured.
Thank you so much for the reply @tgauth :)
We are really struggling with this issue. We have hundreds of SFTP integrations and it's now very hard to solve integration related problems. Also reporting is currently impossible.
Actually one thing to mention. I originally solved the permission problem for non-admin users to write to the Application Eventlog. I used the command:
wevtutil get-log "openSSH/Operational" to get current permissions.
Then get selected AD group SID with this command:
Get-ADGroup my-allowed-sftp-adgroupname.
After that, just combined these two by adding SID from the second command to the end of permissions list which I got from first command like this: (A;;0x3;;;S-1-5-21-2.....SID_From_the_1st_command)
Note: (0x3 = Write Access, 0x1 = Read Access)
Finally I created group policy and added combined permission set in the next GPO field.
Computer\Policies\Administrative Templates\Windows Components\Event Log Service\Application\Configure log access
I'm not sure if this helps, but this is how I got it working (allowed regular users to write eventlog)
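The procedure described in the comment above, as an added PowerShell example (not code from the thread or from the Win32-OpenSSH project): it appends an allow ACE for a group SID to a channel's access SDDL and checks that the result still parses before it goes into the GPO field. `Add-EventLogAce` is a hypothetical helper name, and the sample SDDL and SID are constructed values.

```powershell
# Added example. Add-EventLogAce is a hypothetical helper, not part of OpenSSH or Windows.
function Add-EventLogAce {
    param(
        [Parameter(Mandatory)] [string] $Sddl,   # current channelAccess value
        [Parameter(Mandatory)] [string] $Sid,    # SID of the group to allow
        # Event log access bits: 0x1 = read, 0x2 = write. 0x3 is the mask used in the comment above.
        [ValidateSet(1, 2, 3)] [int] $Mask = 3
    )

    # Throws if the string is not a well-formed SID.
    $null = [System.Security.Principal.SecurityIdentifier]::new($Sid)

    # Split into owner/group/DACL and an optional trailing SACL ("S:...").
    $m = [regex]::Match($Sddl, '^(?<dacl>.*?D:[A-Z]*(?:\([^)]*\))*)(?<sacl>S:.*)?$')
    if (-not $m.Success) { throw "No DACL found in: $Sddl" }

    $ace = '(A;;0x{0:x};;;{1})' -f $Mask, $Sid
    if ($m.Groups['dacl'].Value.Contains($ace)) { return $Sddl }   # already granted

    # Append to the DACL rather than to the end of the string, so a SACL stays intact.
    $new = $m.Groups['dacl'].Value + $ace + $m.Groups['sacl'].Value

    # Parse the result; a malformed descriptor throws here instead of failing in the GPO.
    $null = [System.Security.AccessControl.RawSecurityDescriptor]::new($new)
    return $new
}

# Constructed sample values so the example runs offline.
$currentSddl = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;IU)'
$groupSid    = 'S-1-5-21-1111111111-2222222222-3333333333-1105'

# On a live server the inputs would come from:
#   $currentSddl = (Get-WinEvent -ListLog 'OpenSSH/Operational').SecurityDescriptor
#   $groupSid    = (Get-ADGroup 'my-allowed-sftp-adgroupname').SID.Value

Add-EventLogAce -Sddl $currentSddl -Sid $groupSid
```

Passing `-Mask 2` grants the group write access only, without the ability to read other users' entries.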
Error details
No response
Environment data
Version
PS C:\Windows\system32> ssh -V
OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2
Visuals
No response